Page 20 - Phoenix Vol 11 No 3
DAVE KINSEY | Technology
Don’t Feed the Phishers
Managing IT security has many facets and layers. However, phishing continues to stand out as likely the most persistent and dangerous threat of all. Moreover, it appears to be getting even worse. Awareness programs and training to help everyone identify phishing emails and how to handle them are essential components of any security management plan.
An awareness program succinctly reminds people what to look out for and what to do. This might be implemented as a section in your employee handbook, some papers or posters on a few walls throughout the office, and an occasional email reminder. Training may involve in-person or video training, which might be assigned. A simulated phishing campaign can be a particularly effective training technique where someone who clicks on a simulated bad link is directed to a site that provides training. Additionally, a report of who clicked when they shouldn’t have can be reviewed by management.
A single click can be all that it takes for malware to infect a system or worse. However, the “payload” may not be malware at all. It may be inducing someone to share information that should not be shared or perform a financial transaction. A common scam that has been making the rounds is to have an email that purports to be sent from someone in the company to their assistant. This message requests that they go to the store and get a number of gift cards, scratch the cover to reveal the codes, and reply to the email with those numbers.
The phishers are getting much smarter at figuring out the names and email addresses inside companies so that the requests appear legitimate. Automation and artificial intelligence appear to be helping gather the correct information so that these scams can seem very believable. In addition to the gift cards, scammers sometimes request wire transfers. In virtually all cases, the scammers convey a strong sense of urgency. The goal is to convince the recipient of the email (or text message) that this is something that requires immediate action. The phisher is counting on their target not to stop and ask questions.
One item that I’ve been working on with my clients to combat this is a special notification that is automatically added to all email received from outside the company. This notification alerts the recipient that the message came from an ** External Sender **.
The notification text is highlighted with a yellow background to ensure that it stands out by providing a clear visual cue. Everyone should be looking out for phishing messages regardless of whether a message is tagged as external. However, this notification provides an additional reason to treat these external messages with an extra bit of suspicion. Of course, always treat messages that are caught in your spam filter quarantine with a high degree of suspicion as well. Sometimes legitimate messages are accidentally flagged as spam, but often it may be a phishing email masquerading as a legitimate message. Never blindly release a suspected spam email and trust it.
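As an added example of how such a banner can be applied automatically (this is not the author’s or Total Networks’ code), assuming the firm’s mail runs on Exchange Online with the ExchangeOnlineManagement module installed; the rule name, the custom header name and the colours are my own choices:

```powershell
# Added example: stamp a yellow "** External Sender **" banner on every message that
# arrives from outside the organization, using an Exchange Online mail flow (transport)
# rule. Assumes Exchange Online and the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$ruleName  = 'Tag External Sender'        # assumed name
$stampName = 'X-ExternalSenderTagged'     # assumed custom header: prevents double-stamping

# HTML banner with a yellow background so it stands out at the top of the message body.
$banner = @"
<div style="background-color:#FFF3B0;border:1px solid #E0C24A;padding:6px;font-family:sans-serif;font-size:12px;">
<b>** External Sender **</b> This message came from outside the company.
Do not click links, open attachments, or act on requests such as gift cards or wire
transfers until you have verified the request with the sender by a known phone number.
</div>
"@

New-TransportRule -Name $ruleName `
    -Priority 0 `
    -FromScope NotInOrganization `                    # sender is outside the tenant
    -SentToScope InOrganization `                     # recipient is one of our mailboxes
    -ExceptIfHeaderContainsMessageHeader $stampName ` # skip messages already stamped
    -ExceptIfHeaderContainsWords 'true' `
    -ApplyHtmlDisclaimerLocation Prepend `            # banner goes at the top, not bottom
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `         # if body can't be edited, wrap it
    -PrependSubject '[EXTERNAL] ' `                   # cue is also visible in the inbox list
    -SetHeaderName $stampName `
    -SetHeaderValue 'true' `
    -Comments 'Visual cue for phishing awareness: mail from outside the organization'

# Optional: Exchange Online can also show Outlook's built-in "External" tag.
Set-ExternalInOutlook -Enabled $true

# Check that the rule exists, is enabled, and carries the expected scope and actions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Test the rule with a message from a personal mailbox before announcing it, and keep the exception header in place so replies that quote an already-stamped message are not banded twice.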
The phishers are continually improving their game, so we need to improve ours as well. If in doubt, assume that a message is not legitimate and take extra steps to validate it. The quality of these phishing messages may be quite good, and they may look legitimate when they are not. Put yourselves in the shoes of the phishing email creator. What might a “bad guy” try to fool you into doing? Click on a link? Send them money or gift card codes? Reveal confidential information? Expect deceptive emails, texts, or calls and be prepared to deal with them.
I recommend having an active company policy for dealing with suspicious emails. With respect to suspected phishing emails, company policy should be to avoid clicking on any links, opening any attachment, or responding to a suspected phishing email sender in any fashion.
Additionally, I recommend that company policy be to forward any suspicious email to your IT support team with a note stating either that you have assumed it is not legitimate and have deleted the message (so this is just FYI), or that you would like confirmation of whether the message is legitimate.
Your IT should confirm if the message appears to be legit or not. If it is not, IT may be able to use this information to update your email filtering blacklist and further improve your defenses.
A little proactive phishing prevention goes a long way toward improving your IT security.
Dave Kinsey is the president and owner of Total Networks, the technology adviser to Arizona’s law firms. Mr. Kinsey is on the technology committee for the State Bar of Arizona, has presented at several CLE seminars on the topics of technology security and data protection, and his team is the first and only Arizona IT company to earn the CompTIA Security Trustmark, certifying that Total Networks meets or exceeds security best practices.
ATTORNEY AT LAW MAGAZINE · PHOENIX · VOL. 11 NO. 3 20